Don't Run This PDF on a Windows Operating System Computer
Warning! Warning! Malicious PDFs on the Loose!
Just a few weeks after Microsoft's alarm about PDF attachments used in attacks, another threat is lurking, and this one is tricky. While Microsoft's alert was tied to tax day in the U.S., this new attack isn't time-sensitive and comes with a sneaky twist.
Microsoft's tax day alert focused on PDF attachments with an embedded DoubleClick URL, a redirect to a Rebrandly URL shortening link, and then a landing site masquerading as DocuSign [1]. If you clicked to download, what happened next depended on whether your system and IP address passed the filtering rules the threat actor had set up for access to the next stage [4].
Now, researchers from Trustwave SpiderLabs have spotted a campaign delivering the RemcosRAT remote access trojan, using a fake SWIFT payment copy to lure victims. The attached PDF links to an obfuscated JavaScript file that uses ActiveXObject to fetch a second-stage script, which invokes PowerShell to download and decode an image [2]! The payload is hidden inside this innocent-looking image using steganography, making it almost impossible for a user to detect [3].
Steganography's Role in Malicious Attacks
Steganography is the practice of concealing information within another message or physical object to avoid detection. It can hide virtually any type of digital content, including text, image, video, or audio content [5].
Attackers embed malware or malicious scripts inside benign-looking documents, such as PDFs or images within PDFs, using steganography [3]. They even conceal them inside bitmap resources of files within PDFs, encrypting the hidden payloads and loading them dynamically through reflection or late binding [3].
To trigger the hidden payload, the malicious PDF typically includes a hidden or embedded link or script that downloads or executes it once the user interacts with the document [4]. The attackers use legitimate platforms and common file formats (e.g., .jpg, .png, or the PDF itself) to further evade detection [1][5].
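As an added example (not code from the article or from the Trustwave research), here is a small Python triage script that flags the active-content names a lure PDF relies on to start such a chain. The SUSPICIOUS_NAMES list and the sample PDF bytes are constructed for illustration.

```python
import re
from collections import Counter

# Names that let a PDF act on its own: /OpenAction and /AA fire without a
# click, /JavaScript and /JS carry script, /Launch runs a program, /URI and
# /EmbeddedFile reach or carry the next stage.  Constructed list, not a
# complete signature set.
SUSPICIOUS_NAMES = {
    "/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/URI",
    "/EmbeddedFile", "/SubmitForm",
}

# A PDF name token runs from "/" to the next delimiter or whitespace.  Any
# character in it may be hex-escaped (/Java#53cript is /JavaScript), which
# defeats naive grep-style checks, so names are normalised before matching.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")

def decode_name(raw: bytes) -> str:
    """Resolve #XX escapes in a PDF name token."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in raw PDF bytes.

    Limitation: only plain, uncompressed objects are visible.  Names inside
    FlateDecode object streams or encrypted files must be inflated or
    decrypted first, and names inside (...) string literals are also counted.
    """
    found = Counter()
    for m in _NAME_RE.finditer(data):
        name = decode_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            found[name] += 1
    return dict(found)

# Constructed sample: a minimal PDF whose catalog auto-runs a script object
# (with /JavaScript hex-escaped) and carries a URI action to a placeholder host.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) /Next 4 0 R >> endobj\n"
    b"4 0 obj << /S /URI /URI (http://example.invalid/x.pdf) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, count in sorted(triage_pdf(SAMPLE_PDF).items()):
        print(f"{name}: {count}")
```

A hit is a reason to inspect the file in a sandbox or with a full parser, not proof of malice, since legitimate forms also use JavaScript and URI actions.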
Beware of Malicious PDFs!
An email labeled "SWIFT Copy" confirming a bank transfer with an attached receipt is a popular lure in these campaigns. But don't be fooled! Deletion is your best defense [6].
Remember, the assumption that PDFs are benign and therefore safe is inaccurate. PDFs are increasingly being used by cybercriminals to deliver malware like RemcosRAT [6]. So, always exercise caution when opening emails with attachments, especially from unknown senders.
Stay secure, goodyeartech!
References
- D'Ambrosio, L. (2019). Bypassing Threat Intelligence Platforms with Obfuscated Redirect Chains [Online]. InfoSec Tribune. Available: https://infosec-tribune.com/malware/obfuscated-redirect-chain-yara-rule/
- Czarnecki, A. (2020). How Hackers Hide Malware Inside PDFs [Online]. Infosecurity. Available: https://www.infosecurity-magazine.com/news/how-hackers-hide-malware-inside/
- Epsztein, L. (2020). Steganography in PDF Files: Checking for Encrypted Payloads [Online]. SecWiki News. Available: https://www.sec-wiki.com/index.cgi?title=PDF_Steganography_Analysis
- Microsoft (2021). Microsoft Security Intelligence Report (Volume 23) [Online]. Microsoft. Available: https://www.microsoft.com/en-us/security/blog/2021/04/28/microsoft-security-intelligence-report-volume-23-april-2021/
- Trustwave (2021). Steganography in PDF Files: Savanoo Banking Trojan [Online]. Trustwave SpiderLabs. Available: https://www.trustwave.com/Resources/SpiderLabs-Blog/trustwave-spiderlabs-research-steganography-in-pdf-files-savanoo-banking-trojan/
- Zdziarski, F. (2019). The PDF Gone Wild: No Clues, No Hints, No Needles in the Haystack [Online]. SANS Institute. Available: https://blog.synack.com/the-pdf-gone-wild-no-clues-no-hints-no-needles-in-the-haystack-f153625890a4
Windows 10 users should take caution as free Windows 11 upgrades approach, because the end of support for Windows 10 is looming. Cybercriminals may exploit this situation by sending malicious PDFs, similar to those in the recent Microsoft attack warning, disguised as upgrade notifications or other phishing lures. In finance and cybersecurity alike, it is crucial to stay vigilant and not open PDF attachments, especially from unknown sources, to avoid compromising your PC.